Substack has disclosed a significant security lapse after a four-month delay in uncovering a breach that exposed contact details of around 700,000 users, raising concerns over platform security and response times.
Substack has disclosed that an unauthorised party gained access to user contact information in an intrusion that occurred in October 2025 but was not identified until early February 2026, a lapse the company says lasted roughly 120 days. According to reporting by TechCrunch and TechRadar, the data exposed included email addresses, telephone numbers and unspecified internal metadata, though Substack maintains that payment details and account credentials were not taken. (TechCrunch; TechRadar)
The company said it discovered the activity on February 3 and has since patched the vulnerability it believes was exploited. Substack CEO Chris Best said, “On February 3rd, we identified evidence of a problem with our systems that allowed an unauthorized third party to access limited user data without permission, including email addresses, phone numbers, and other internal metadata.” Reporting from DataConomy and The Cyber Express confirms the firm has opened an investigation into the incident and is conducting remediation. (DataConomy; The Cyber Express)
Industry coverage places the number of affected accounts at roughly 700,000, representing a sizeable slice of the platform’s audience and creators. TechCrunch and TechRadar note that Substack has not publicly defined the full contents of the “internal metadata” referenced in its statement, a category that often encompasses items such as subscription status, account creation timestamps and IP logs. (TechCrunch; TechRadar)
Security commentators have highlighted the four‑month detection interval as a serious shortcoming for a company that stores mass contact lists. Analysis in The Meridiem and TechRadar contrasts Substack’s 120‑day dwell time with enterprise expectations, where detection is typically measured in hours or days, and warns that such delays give attackers extended opportunity to copy and weaponise datasets for spear‑phishing or SMS‑based social engineering. (The Meridiem; TechRadar)
This episode follows Substack’s 2020 disclosure error in which recipient addresses were exposed when messages were sent in CC rather than BCC, an incident that prompted a public apology and commitments to improve processes. Multiple outlets report that Substack has reiterated its commitment to bolstering security and to notifying affected users while urging vigilance against suspicious communications that could exploit the leaked contact details. (TechLoy; TechCrunch)
While Substack says there is no current evidence the harvested information has been misused, security specialists recommend subscribers and creators treat unexpected messages with caution, enable any available account protections and report suspected phishing attempts to the platform. TechCrunch and DataConomy both report that Substack has promised further measures to prevent recurrence as its inquiry continues. (TechCrunch; DataConomy)
Source: Fuse Wire Services


